Re: [bitcoin-dev] Should Graftroot be optional?

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Anthony Towns <aj@erisian.com.au>
To: Pieter Wuille <pieter.wuille@gmail.com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Should Graftroot be optional?
Date: Wed, 27 Jun 2018 17:29:09 +1000	[thread overview]
Message-ID: <20180627072909.5hqnl4kfrnqfvhc4@erisian.com.au> (raw)
In-Reply-To: <CAPg+sBgEUV5KNFi1L4MhR-3KAX9gbQKdzWneaEzF+QsKSXYu8A@mail.gmail.com>

On Thu, May 31, 2018 at 05:25:04PM -0700, Pieter Wuille via bitcoin-dev wrote:
> The best argument for why Graftroot does not need to be optional I
> think was how Greg put it: "since the signer(s) could have signed an
> arbitrary transaction instead, being able to delegate is strictly less
> powerful.".

This seems persuasive to me. I think you could implement graftroot in
a way that makes this explicit:

 * A graftroot input has >=2 items on the witness stack, a signature,
   a script (S), and possibly witness elements for the script. The
   signature has a SIGHASH_GRAFTROOT bit set.

 * To validate the signature, a virtual transaction is constructed:

     nVersion = 1
     locktime = 0
     inputs = [(txhash, txoutidx, 0, "", 0xffffffff)]
     outputs = [(txvalue, len(S), S)]
     locktime = 0

   The signature is then checked against the virtual transaction.

 * If the signature is valid, the virtual transaction is discarded, and
   the script and witness elements are checked against the original tx.

I think this approach (or one like it) would make it clear that
graftroot is a simple optimisation, rather than changing the security
parameters. Some caveats:

 * You'd presumably want to disallow signatures with SIGHASH_GRAFTROOT
   from being used in signatures in scripts, so as not to end up having
   to support recursive graftroot.

 * Checking the script/witness against the original transaction instead
   of the virtual one cheats a bit, but something like it is necessary
   to ensure locktime/csv checks in the script S behave sanely. You
   could have the virtual transaction be treated as being confirmed in
   the same block as the original transaction instead though, I think.

 * You would need to use SIGHASH_NOINPUT (or similar) in conjuction
   to allow graftroot delegation prior to constructing the tx (otherwise
   the signature would be committing to txhash/txoutidx). BIP118 would
   still commit to txvalue, but would otherwise work fine, I think.

Cheers,
aj

     prev parent reply	other threads:[~2018-06-27  7:29 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-22 18:17 [bitcoin-dev] Should Graftroot be optional? Pieter Wuille
2018-05-23  6:15 ` ZmnSCPxj
2018-05-23 13:50 ` Andrew Poelstra
2018-05-23 17:52   ` Andrew Poelstra
2018-05-25  9:46     ` Johnson Lau
2018-05-23 22:06 ` Natanael
2018-05-23 23:45   ` Gregory Maxwell
2018-05-24  9:32     ` Natanael
2018-05-24  1:58 ` Pieter Wuille
2018-05-24  2:08   ` Gregory Maxwell
2018-05-24  9:44     ` Natanael
2018-05-24 12:39       ` Andrew Poelstra
2018-05-25 10:14     ` Johnson Lau
2018-06-01  0:25       ` Pieter Wuille
2018-06-06 12:48         ` Tim Ruffing
2018-06-06 17:04           ` Pieter Wuille
2018-06-06 21:25             ` Tim Ruffing
2018-06-20 12:12               ` ZmnSCPxj
2018-06-20 14:30                 ` Gregory Maxwell
2018-06-21  7:09                   ` ZmnSCPxj
2018-06-27  7:29         ` Anthony Towns [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180627072909.5hqnl4kfrnqfvhc4@erisian.com.au \
    --to=aj@erisian.com.au \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=pieter.wuille@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox